@danielblomma/cortex-mcp 1.7.1 → 2.0.2

package/scaffold/mcp/src/enterprise/tools/walk.ts

@@ -0,0 +1,79 @@
+import { readdirSync, statSync } from "node:fs";
+import { join, relative, sep } from "node:path";
+
+// Directories skipped while walking the project for a scope=all review.
+// Common build/vendor conventions across JS/Python/Go/Rust/C#/Java
+// ecosystems; keep permissive enough that individual validators still do
+// their own per-language filtering.
+const EXCLUDED_DIRS = new Set([
+  "node_modules",
+  ".git",
+  "dist",
+  "build",
+  ".next",
+  "target",
+  "bin",
+  "obj",
+  ".venv",
+  "venv",
+  "__pycache__",
+  ".nuxt",
+  "vendor",
+  ".terraform",
+  "coverage",
+  ".cache",
+  ".turbo",
+]);
+
+const TEXT_EXT_RE =
+  /\.(?:ts|tsx|js|jsx|mjs|cjs|json|ya?ml|toml|ini|env|config|xml|properties|tf|tfvars|sh|ps1|py|cs|vb|java|go|rs|rb|php|sql|md|txt|html?|css|scss|less)$/i;
+
+// Extensionless text files the secrets validator cares about: dotenv
+// variants and .NET appsettings.*
+const PATH_EXTRA_RE = /(?:^|\/)\.env(?:\.|$)|(?:^|\/)appsettings(?:\.|$)/i;
+
+const DEFAULT_MAX_FILES = 10_000;
+
+export type WalkOptions = {
+  maxFiles?: number;
+};
+
+// Recursively list project-relative text file paths under `root`. Used as
+// the file set for scope=all reviews and as a fallback when scope=changed
+// cannot resolve a git diff (non-git working copy, git missing, etc.).
+export function walkProjectFiles(root: string, options: WalkOptions = {}): string[] {
+  const maxFiles = options.maxFiles ?? DEFAULT_MAX_FILES;
+  const results: string[] = [];
+
+  function walk(dir: string): void {
+    if (results.length >= maxFiles) return;
+    let entries: string[];
+    try {
+      entries = readdirSync(dir);
+    } catch {
+      return;
+    }
+    for (const name of entries) {
+      if (results.length >= maxFiles) return;
+      if (EXCLUDED_DIRS.has(name)) continue;
+      const abs = join(dir, name);
+      let st;
+      try {
+        st = statSync(abs);
+      } catch {
+        continue;
+      }
+      if (st.isDirectory()) {
+        walk(abs);
+      } else if (st.isFile()) {
+        const rel = relative(root, abs).split(sep).join("/");
+        if (TEXT_EXT_RE.test(rel) || PATH_EXTRA_RE.test(rel)) {
+          results.push(rel);
+        }
+      }
+    }
+  }
+
+  walk(root);
+  return results;
+}

package/scaffold/mcp/src/enterprise/violations/push.ts

@@ -0,0 +1,102 @@
+/**
+ * Push policy violations to the Cortex Cloud API.
+ *
+ * Uses the same endpoint/api_key as policy sync since
+ * violations require the "policy" scope.
+ */
+type ViolationItem = {
+  rule_id: string;
+  severity: "error" | "warning" | "info";
+  message: string;
+  file_path?: string;
+  metadata?: string;
+  occurred_at: string;
+};
+
+export type ViolationPushContext = {
+  repo?: string;
+  instance_id?: string;
+  session_id?: string;
+};
+
+export type ViolationPushResult = {
+  success: boolean;
+  count: number;
+  error?: string;
+};
+
+const pending: ViolationItem[] = [];
+let activeContext: ViolationPushContext = {};
+
+export function setViolationPushContext(context: ViolationPushContext): void {
+  activeContext = { ...context };
+}
+
+/**
+ * Queue a violation for the next push.
+ */
+export function queueViolation(item: ViolationItem): void {
+  pending.push(item);
+}
+
+/**
+ * Push all queued violations to cortex-web.
+ * Fire-and-forget — errors are logged but do not throw.
+ */
+export async function pushViolations(
+  baseUrl: string,
+  apiKey: string,
+): Promise<ViolationPushResult> {
+  if (pending.length === 0) {
+    return { success: true, count: 0 };
+  }
+
+  if (!baseUrl || !apiKey) {
+    return { success: false, count: 0, error: "endpoint or api_key not configured" };
+  }
+
+  const violationsUrl = `${baseUrl.replace(/\/$/, "")}/api/v1/violations/push`;
+
+  const batch = pending.splice(0, 100); // max 100 per push
+
+  try {
+    const response = await fetch(violationsUrl, {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${apiKey}`,
+        "Content-Type": "application/json",
+        "Accept": "application/json",
+      },
+      body: JSON.stringify({
+        repo: activeContext.repo,
+        instance_id: activeContext.instance_id,
+        session_id: activeContext.session_id,
+        violations: batch,
+      }),
+      signal: AbortSignal.timeout(10_000),
+    });
+
+    if (!response.ok) {
+      // Put them back so they can be retried
+      pending.unshift(...batch);
+      return { success: false, count: 0, error: `HTTP ${response.status}` };
+    }
+
+    return { success: true, count: batch.length };
+  } catch (err) {
+    // Put them back for retry
+    pending.unshift(...batch);
+    return {
+      success: false,
+      count: 0,
+      error: err instanceof Error ? err.message : "unknown error",
+    };
+  }
+}
+
+/**
+ * Return the current queue length (for diagnostics).
+ */
+export function pendingCount(): number {
+  return pending.length;
+}

package/scaffold/mcp/src/enterprise/workflow/push.ts

@@ -0,0 +1,60 @@
+import type { WorkflowState } from "./state.js";
+
+export type WorkflowPushContext = {
+  repo?: string;
+  instance_id?: string;
+  session_id?: string;
+};
+
+export type WorkflowPushResult = {
+  success: boolean;
+  status?: number;
+  error?: string;
+};
+
+let activeContext: WorkflowPushContext = {};
+
+export function setWorkflowPushContext(context: WorkflowPushContext): void {
+  activeContext = { ...context };
+}
+
+export async function pushWorkflowSnapshot(
+  baseUrl: string,
+  apiKey: string,
+  workflow: WorkflowState
+): Promise<WorkflowPushResult> {
+  if (!baseUrl || !apiKey) {
+    return { success: false, error: "endpoint or api_key not configured" };
+  }
+
+  const workflowUrl = `${baseUrl.replace(/\/$/, "")}/api/v1/workflow/push`;
+
+  try {
+    const response = await fetch(workflowUrl, {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${apiKey}`,
+        "Content-Type": "application/json",
+        "Accept": "application/json",
+      },
+      body: JSON.stringify({
+        repo: activeContext.repo,
+        instance_id: activeContext.instance_id,
+        session_id: activeContext.session_id,
+        workflow,
+      }),
+      signal: AbortSignal.timeout(10_000),
+    });
+
+    if (!response.ok) {
+      return { success: false, status: response.status, error: `HTTP ${response.status}` };
+    }
+
+    return { success: true, status: response.status };
+  } catch (err) {
+    return {
+      success: false,
+      error: err instanceof Error ? err.message : "unknown error",
+    };
+  }
+}